add symm to the single config; still seems to work

Jami Cogswell · Jami Cogswell · commit 01c2a8cbba76 · 2022-10-12T08:51:22.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -8,13 +8,17 @@ import semmle.code.java.dataflow.TaintTracking
 //import semmle.code.java.dataflow.FlowSources
 //import semmle.code.java.dataflow.internal.DataFlowNodes
 /**
- * An Asymmetric (RSA, DSA, DH) key length data flow tracking configuration.
+ * A key length data flow tracking configuration.
  */
-class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
-  AsymmetricKeyTrackingConfiguration() { this = "AsymmetricKeyTrackingConfiguration" }
+class KeyTrackingConfiguration extends DataFlow::Configuration {
+  KeyTrackingConfiguration() { this = "KeyTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
     //state instanceof DataFlow::FlowStateEmpty and
+    // SYMMETRIC
+    source.asExpr().(IntegerLiteral).getIntValue() < 128 and state = "128"
+    or
+    // ASYMMETRIC
     source.asExpr().(IntegerLiteral).getIntValue() < 2048 and state = "2048"
     or
     source.asExpr().(IntegerLiteral).getIntValue() < 256 and state = "256"
@@ -23,6 +27,16 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    // SYMMETRIC
+    exists(MethodAccess ma, JavaxCryptoKeyGenerator jcg |
+      ma.getMethod() instanceof KeyGeneratorInitMethod and
+      jcg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = "AES" and
+      DataFlow::localExprFlow(jcg, ma.getQualifier()) and
+      sink.asExpr() = ma.getArgument(0) and
+      state = "128"
+    )
+    or
+    // ASYMMETRIC
     exists(MethodAccess ma, JavaSecurityKeyPairGenerator jpg |
       ma.getMethod() instanceof KeyPairGeneratorInitMethod and
       (
@@ -67,6 +81,7 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
     )
   }
 
+  // ! FlowStates seem to work without even including a step like the below... hmmm
   override predicate isAdditionalFlowStep(
     DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
     DataFlow::FlowState state2
@@ -76,7 +91,6 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
       state2 = intLiteral.toString() and
       node1.asExpr() = intLiteral and
       node2.asExpr() = intLiteral
-      //intLiteral.toString().toInt() = 64 // test viability of this craziness
     )
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -16,10 +16,9 @@ import semmle.code.java.security.InsufficientKeySizeQuery
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink
-where
-  exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
-  or
-  //   exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
-  //   exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
-  exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
+where exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
+//or
+//   exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
+//   exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
+//   exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
 select sink.getNode(), source, sink, "This $@ is too small.", source.getNode(), "key size"
diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
@@ -1,8 +1,8 @@
 import java
 import TestUtilities.InlineExpectationsTest
 import semmle.code.java.security.InsufficientKeySizeQuery
-import DataFlow::PathGraph
 
+//import DataFlow::PathGraph // Note: importing this messes up tests - adds edges and nodes to actual file...
 class InsufficientKeySizeTest extends InlineExpectationsTest {
   InsufficientKeySizeTest() { this = "InsufficientKeySize" }
 
@@ -11,12 +11,12 @@ class InsufficientKeySizeTest extends InlineExpectationsTest {
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasInsufficientKeySize" and
     exists(DataFlow::PathNode source, DataFlow::PathNode sink |
-      exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
-      or
+      exists(KeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
+    |
+      //or
       // exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
       // exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
-      exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
-    |
+      //exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
       sink.getNode().getLocation() = location and
       element = sink.getNode().toString() and
       value = ""
